Troldesh

Troldesh is ransomware — a malware that demands a payment in order to unlock encrypted files. It is also can search and steal information from the banking programs if such are found on the infected machine.

Type
Ransomware
Origin
Unknown
First seen
1 January, 2014
Last seen
26 July, 2021
Also known as
Encoder.858
Global rank
17
Week rank
19
Month rank
34
IOCs
652

What is Troldesh?

Troldesh, also know as Encoder.858 is ransomware belonging to the Shade ransomware family. It was created in 2014. The malware encrypts files on the victim’s machine and demands a ransom for the data to be restored.

Attempting to get as much information as possible the malware also scans the target PC for banking files or banking programs, in an effort to squeeze every last penny.

General description of Troldesh

Attacking Windows users mainly in Russia, Ukraine, and Germany, Troldesh is one of the three most commonly used encryption software in Russia.

In addition to this behavior, Troldesh ransomware often comes in conjunction with two particular malware samples, namely Mexar, and Teamspy, which allows attackers to control the victim's PC remotely and gives the virus the ability to install other malware on the infecting PC.

In fact, unlike most other ransomware, this virus does not stop executing after encrypting the victim’s files but instead starts an infinite loop where it requests URLs of other malicious programs from the command server, downloading and installing them on a contaminated machine. This means that most victims contaminated with Troldesh, in fact, may end up with a whole host of infections on their PC.

Even though the malware itself has not evolved a lot throughout its lifespan, the method which attackers use to demand the ransom has changed. The first malware samples used to provide an email address at which the victim could contact the hackers and negotiate the payment, whereas in newer campaigns ransom node demands victims to use the Tor browser in order to navigate to a payment page that is located on the Dark Web.

Being a part of the Shade family, Trodlesh shares several familiarities with related malware. As such, all members of the family are written in C++ and utilize CTL. Another shared feature is a static link with a Tor client. Every particular malware sample also has a hardcoded URL of the command server. Malicious programs of this family are also known to exhibit similar or identical behavior. As such, they create 10 identical ransom notes in two languages – Russian and English and name them README1.txt or README10.txt.

Troldesh malware analysis

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Troldesh malware in a lot of detail.

process graph of a troldesh ransomware execution Figure 1: Process graph generated by ANY.RUN helps us visualize the life cycle of the virus

Troldesh execution process

Troldesh ransomware is spread in the form of a script file, either Javascript or JScript. Usually, these files are packed in an archive file, that is sometimes protected with a password. In the simulation performed on ANY.RUN, after a script file was unpacked and launched, it installed an executable file from the internet. It should be noted, that in the case of Troldesh, executable files normally have "not suspicious" extensions along the likes of .jpg. After being downloaded, the files are renamed and executed.

As shown in the ANY.RUN simulation, after running, the file immediately began performing malicious activity, namely: encrypting files, stealing personal data, deleting shadow copies and changing autorun values in the registry. Files encrypted by the latest versions of Troldesh are known to have .crypted000007 extension which was also the case in our simulation. Lastly, after encryption was completed the malicious executable file dropped ransomware instructions on the desktop.

process tree of a troldesh ransomware execution Figure 2: Process tree of a Troldesh ransomware execution

How to avoid infection by Troldesh?

Since Troldesh is commonly distributed using malspam campaigns that mimic real company newsletters, a good way of staying safe is thoroughly checking for the authenticity of emails before downloading any attachments. If necessary, one can get in touch with a company who is the presumable author of the newsletter and verify that they have, in fact, sent the email.

Once infected, Troldesh installs several secondary malware samples on the victim’s PC, thus after Troldesh itself is cleansed from the PC, it is important to conduct a global system scan and make sure that one’s machine is not swarming with other viruses as well.

Distribution of Troldesh

Troldesh ransomware is known to utilize two main attack vectors – email spam and exploit kits. Malspam campaigns usually mimic legitimate information newsletters from real Russian companies, including banks and large supermarket chains. The emails themselves contain an archive file in which another script file is included.

Upon unpacking the archive and clicking on the file, a malicious loader is installed. It in turn downloads and installs the main payload – Troldesh itself. The loader is known to be stored on legitimate but compromised Wordpress websites where it is hidden as an image file.

Troldesh is also known to utilize Axpergle and Nuclear exploit kits, and these attacks are, arguably, even more dangerous than email spam as they don’t require active actions from the user for contamination process to begin. Instead, upon visiting a compromised URL, which can be a website hosted by the attackers or a legitimate website that has been hacked, the malware utilizes a vulnerability either in the browser itself or in one of the browser plugins, successfully penetrating into the users PC and starting the execution automatically. Thus, victims can get infected without ever realizing the danger.

Communication with C&C

Address information of C&C servers is embedded in the body of each malware sample. Servers themselves are hosted on the dark web and communication is established with the use of a Tor client.

Once installed on a victim's PC, the malware requests a public key value from the server to encrypt the victim’s files. Should the connection attempt fail, the virus uses one of one hundred private key values stored in its memory.

How to detect Troldesh using ANY.RUN?

Since Troldesh ransomware writes into registry analysts can detect it by looking at registry keys. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a value "906D0F2E2F604F839E04" with the name "xi" into the key HKLM\SOFTWARE\System32\Configuration it's Troldesh.

Registry changes created by Troldesh Figure 3: Registry changes created by Troldesh

Conclusion

Troldesh is an extremely dangerous ransomware that is able to contaminate victims who simply end up browsing to the wrong place at the wrong time, ending up on a website hacked by the attackers. Unlike much other ransomware that simply demands money in exchange for user’s encrypted data, Troldesh doesn’t stop there and goes the extra mile to spread other dangerous malware samples on a victim’s PC.

Utilizing analysis services like ANY.RUN is a great way to examine the virus from a safe environment and develop a sufficient defense strategy.

P.S.

On the 27th April, 2020 authors behind Troldesh ransomware announced that they stopped distribution of the ransomware and publish the decryption keys with decryption soft and instructions. They said that apologize to all the victims of the trojan and hope that the keys they published will help them to recover their data. You can take a look at the task in which their keys and tool were used to decrypt data.

IOCs

IP addresses
104.16.155.36
66.171.248.178
104.16.154.36
192.168.100.172
Hashes
9b3af0dd248f86114a0c042e4385649ff294707479a85006a7dd384071213890
d28fce3da7c4757f932f30a69f76da27f030e609cf7195a78a3ca2ef1dd413a2
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
e96a094f4565044331600f9e404f92cd3fd1a75061c0af76f1926f2f7914ce44
8d0c39777ac5ab85f55144297ed1aebf27980191b127921eb9a5b26ff9bc1a07
c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69
f5515fcf3a3e991b20daf6b3e9eb5381bbcfe7ba9dac74da90f77e22f40425dc
4e5552c30a10b336bc0805661a08da32b0b09294446721a38ace60a350890bc9
c6ed9060470627727d8d0dbb1dc20780d3c2b769fe4df575534158735cc8dda0
4208d0d73b3a328c934ea9a1938dcddb0a1a202c77dddea31268994bb860a57b
9a685a13fdb00733a29ac3ad9e6a7fa3a810a2243a4b2d6a0e44821dea44fe71
6e19be50ee72638965c61619ccd7d03f0c2a90cf2f31f39cdbb425527d81e2b6
f2a1a0aeb3172e398da12d22f39557d489c43964882dcaf6a3def186fb672bdb
72deafcbd25b26aa25dd08cb0f18722f65324aef244a472a78dc8686e3345748
4688f7c0e0bb5dc3b00e80130514ce4b1c27e5bdbbaef9bcfb836abf1065710e
fb142143b7efdbb03e23a1c366208ffa4cba9131e674fb196e6611f7f76f7c8e
c02153dce99eb8730806cfe19a3f29e3d4e3fad796f4eb15962b74fb2e55fe47
34f3e2a247fecfa3a54d6436836f6006c0d027ddad59d69d270a42b2d02a3c83
d8baad26a4b1cc0357f5a6da3da448186541b588315caf3e142293dca7775447
a55edfe9847915a7f2a505f928be7bfc7a867ba226e3578fd768ab4a423aa62a
Domains
elx01.knas.systems
isns.net
e8960.b.akamaiedge.net
majul.com
qxq.ddns.net
www.whatismyipaddress.com
www.whatsmyip.net
www.planiligue.com
hunterdekaron.net
bb-sandonato.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More